10. Supplier relationships

10.1 Information security in supplier relationships

Objective: To ensure protection of the organization's assets that are accessible by suppliers.

10.1.1 Information security policy for supplier relationships

Information security requirements for mitigating the risks associated with a supplier's access to the organization's assets should be agreed with the supplier and documented.

To implement this control, the organization should:

a) identify and document the types of suppliers, e.g. IT services, logistics, utilities, financial services, IT infrastructure components, whom the organization will allow to access its information;
b) define the types of information access that different types of suppliers will be allowed, and monitor and control the access;
c) define minimum information security requirements for each type of information and type of access, and the obligations of suppliers to protect the organization's information;
d) monitor adherence to the established information security requirements for each type of supplier and type of access;
e) define the procedure for handling incidents and contingencies associated with supplier access, including the responsibilities of both the organization and suppliers;
f) define recovery and contingency arrangements to ensure the availability of the information or information processing provided by either party;
j) address awareness training for the organization's personnel interacting with supplier personnel.

10.1.2 Addressing security within supplier agreements

All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.

Establish and document supplier agreements to avoid misunderstanding between the organization and the supplier regarding both parties' obligations. Develop the agreements with suppliers to include:

a) a description of the information to be provided or accessed, the sensitivity of the information (classification) and the methods of providing or accessing the information;
b) legal and regulatory requirements, including data protection, intellectual property rights and copyright, and a description of how compliance will be ensured;
c) the obligation of each contractual party to implement an agreed set of controls, including access control, performance review, monitoring, reporting and auditing;
d) a list of supplier personnel authorized to access or receive the organization's information, or the procedures or conditions for authorization;
e) incident management requirements and procedures (especially notification and collaboration during incident remediation);
f) training and awareness requirements for specific procedures and information security requirements, e.g. for incident response and authorization procedures;
g) relevant regulations for sub-contracting, including the controls that need to be implemented;
h) the supplier's obligations to comply with the organization's security requirements and those of relevant agreement partners, including a contact person for information security issues;
i) screening requirements, if any, for the supplier's personnel;
j) the right to audit the supplier's processes and controls related to the agreement;
k) conflict and defect resolution processes.

Agreements with suppliers should also include requirements to address the information security risks associated with the information and communications technology (ICT) services and product supply chain. Organizations can influence security practices across the ICT supply chain, including cloud computing services, by making clear in agreements with their suppliers the matters that should be addressed by other suppliers in that supply chain.

10.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

10.2.1 Monitoring and review of supplier services

Organizations should regularly monitor, review and audit supplier service delivery.

10.2.2 Managing changes to supplier services

Changes to the provision of services by suppliers, including changes in policies, procedures and controls, should be managed, taking account of the criticality of the business information, systems and processes involved, and re-assessing the risks.

Changes made by the organization to its own policies, procedures and security controls that affect supplier service agreements should be managed in the same way. Changes may include:

a) use of new technologies and development of any new applications and systems, including new development tools and environments;
b) modifications or updates of the organization's policies and procedures;
c) new or changed security controls;
d) changes and enhancements to networks;
e) changes to the physical location of service facilities;
f) change of suppliers;
g) sub-contracting to another supplier.